00. The Pareto Botnet - Advanced Cross-Platform Android Malware Using Amazon AWS 
Spotted in the Wild - An Analysis 
We've decided to take a look at the recently discovered Pareto Botnet using Maltego in combination 
with WhoisXML API's integration, to provide additional actionable intelligence on the campaign 
that could be useful to researchers and vendors tracking down and responding to cyber attack 
campaigns. 


In this article we'll discuss the Pareto Botnet in depth and offer practical and actionable 
intelligence on the actual C&C infrastructure, which also includes the use of Amazon's AWS for 
C&C (Command and Control) purposes. 
Sample Screenshot of the Pareto Botnet in Action Using Maltego and WhoisXML API's 
Integration 


Sample malicious C&C server domains known to have participated in the campaign: 




Sample malicious and rogue IPs known to have participated in the campaign: 


Sample Amazon AWS C&C server domains known to have been involved in the 
Pareto Botnet: 



Malicious MD5s known to have participated in the campaign: 


We'll continue monitoring the campaign and post updates as soon as new developments take 
place. 


